Your message dated Sun, 17 Mar 2013 11:02:46 +0000
with message-id <e1uhbmu-00083x...@franck.debian.org>
and subject line Bug#701649: fixed in libvirt 0.8.3-5+squeeze4
has caused the Debian Bug report #701649,
regarding libvirt-bin - libvirtd changes permissions of devices to
libvirt-qemu:kvm (CVE-2013-1766)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
701649: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=701649
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libvirt-bin
Version: 1.0.2-2
Severity: critical
Tags: security
libvirtd changes the permissions of lvm devices it assigns to guests to
libvirt-qemu:kvm. kvm is a general group and not restricted to libvirt.
This allows other users write access to these devices.
I'm right now unsure if the Wheezy version is affected.
| brw-rw---T 1 libvirt-qemu kvm 254, 11 Feb 25 17:08 /dev/dm-11
| brw-rw---T 1 libvirt-qemu kvm 254, 12 Feb 25 17:50 /dev/dm-12
Bastian
-- System Information:
Debian Release: 7.0
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.7-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
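An audit check for the condition described in this report, added here as an example (it is not part of the original report or of the libvirt package): it flags block devices that are group-writable by a shared group and lists the other accounts in that group. The function names, the `/dev/dm-0` and `/dev/dm-13` lines, and the `alice` account are constructed for illustration.

```shell
#!/bin/sh
# Added example, not libvirt code. Input format for the device check is
#   "<mode> <owner> <group> <path>"
# which on a live host comes from:  stat -c '%A %U %G %n' /dev/dm-*

# Print paths of block devices owned by the given group with group write set.
flag_shared_group_devices() {
    shared_group="${1:-kvm}"
    awk -v g="$shared_group" '
        # mode[1] == "b": block device; mode[6] == "w": group write bit
        substr($1, 1, 1) == "b" && $3 == g && substr($1, 6, 1) == "w" { print $4 }
    '
}

# Print accounts listed in a getent-style group line other than the one
# expected to use the devices. On a live host: getent group kvm
# Note: field 4 lists supplementary members only; accounts whose primary
# group is the shared group must be checked in the passwd database as well.
group_members_except() {
    printf '%s\n' "$1" | awk -F: -v keep="$2" '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] != "" && m[i] != keep) print m[i]
    }'
}

# Constructed sample input: dm-11 and dm-12 mirror the listing in the report,
# dm-0 and dm-13 are invented counter-examples that must not be flagged.
sample_devs() {
    cat <<'EOF'
brw-rw---T libvirt-qemu kvm /dev/dm-11
brw-rw---T libvirt-qemu kvm /dev/dm-12
brw-rw---T root disk /dev/dm-0
brw-r----- libvirt-qemu kvm /dev/dm-13
EOF
}
SAMPLE_GROUP_LINE='kvm:x:106:alice,libvirt-qemu'   # constructed

echo "Group-writable block devices owned by group kvm:"
sample_devs | flag_shared_group_devices kvm
echo "Other accounts in group kvm:"
group_members_except "$SAMPLE_GROUP_LINE" libvirt-qemu
```

Any path printed by the first check combined with any account printed by the second means an account other than the hypervisor user can write to a guest's disk.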
--- Begin Message ---
Source: libvirt
Source-Version: 0.8.3-5+squeeze4
We believe that the bug you reported is fixed in the latest version of
libvirt, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 701...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Guido Günther <a...@sigxcpu.org> (supplier of updated libvirt package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 09 Mar 2013 17:03:01 +0100
Source: libvirt
Binary: libvirt-bin libvirt0 libvirt0-dbg libvirt-doc libvirt-dev python-libvirt
Architecture: source all i386
Version: 0.8.3-5+squeeze4
Distribution: stable-security
Urgency: low
Maintainer: Debian Libvirt Maintainers <pkg-libvirt-maintain...@lists.alioth.debian.org>
Changed-By: Guido Günther <a...@sigxcpu.org>
Description:
libvirt-bin - the programs for the libvirt library
libvirt-dev - development files for the libvirt library
libvirt-doc - documentation for the libvirt library
libvirt0 - library for interfacing with different virtualization systems
libvirt0-dbg - library for interfacing with different virtualization systems
python-libvirt - libvirt Python bindings
Closes: 701649
Changes:
libvirt (0.8.3-5+squeeze4) stable-security; urgency=low
.
* [9d7846f] CVE-2013-1766: Use libvirt-qemu as group to run qemu/kvm
instances. This makes sure we don't chown files to groups possibly used
by other programs. (Closes: #701649)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iD8DBQFRQx7tn88szT8+ZCYRAiSFAJ4+o3p/61MxFc7cpowhfMsBmiSdxwCfeYY2
BLkH/UPZ9k18hRLrj4xLHik=
=CblW
-----END PGP SIGNATURE-----
--- End Message ---